Cannot install SCOM Agent in another domain?
Hello,

I am trying to install the SCOM agent on a server in another domain.

MS Server in DomainA
Server in DomainB

My account from DomainA is Local Administrator on the server in DomainB.

Any specifics for cross-domain management?
Any log which could help tracing the failure?

is_broker_enabled = 1 for OperationsManager
two-way bidirectional trust relationship = yes
firewall off

I saw this note from Graham Davies:
http://social.technet.microsoft.com/Forums/en-US/operationsmanagerdeployment/thread/3270d40e-37db-4877-bff6-4142b623ab8b/
"Make sure the SQL Server Service and SQL Server agent are running as domain user accounts."

So Local System is not okay when using SCOM across domains?

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 13th, 2010 2:36am

Are you planning to use certificates or a gateway server? How are trusts set up between the domains? http://technet.microsoft.com/en-us/library/bb432149.aspx
February 13th, 2010 2:59am

Hi,

No Gateway
No Certificate
two-way bidirectional trust relationship = yes

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 13th, 2010 3:06am

Hi Dom,

>two-way bidirectional trust relationship = yes

This must be a forest trust (to support Kerberos). Or you need a certificate. Is this a forest trust?

http://OpsMgr.ru/
February 13th, 2010 12:06pm

Dom

AFAIK, if you go to a folder on your RMS and go to Properties - Security - Edit, and you can browse the other domain and add a user from that domain, then I believe you have a two-way trust in place.

To start things off, Dom, why not try and just do a manual install on that server? If it works and communicates, then you have no issues with ports/firewalls, trusts etc.

You could also try and telnet your client on the SCCM client install port.

Paul

Paul Keely
February 13th, 2010 12:38pm

One other thing is that here is an agent deploy troubleshooting chart.

Console based Agent Deployment Troubleshooting table

This post is a list of common agent push deployment errors... and some possible remediation options. Most common errors while pushing an agent (Error / Error Code(s) / Remediation Steps):

Error: The MOM Server could not execute WMI Query "Select * from Win32_Environment where NAME='PROCESSOR_ARCHITECTURE'" on computer server.domain.com. Operation: Agent Install. Install account: domain\account. Error Code: 80004005. Error Description: Unspecified error.
Error Code(s): 80004005
Remediation Steps:
1. Check the PATH environment variable. If the PATH statement is very long, due to lots of installed third-party software, this can fail. Reduce the path by converting any long filename destinations to 8.3, and remove any path statements that are not necessary.
2. The cause could be corrupted Performance Counters on the target agent. To rebuild all Performance Counters including extensible and third-party counters in Windows Server 2003, type the following commands at a command prompt. Press ENTER after each command.
   cd \windows\system32
   lodctr /R
   Note: /R is uppercase. Windows Server 2003 rebuilds all the counters because it reads all the .ini files in the C:\Windows\inf\009 folder for the English operating system. How to manually rebuild Performance Counter Library values: http://support.microsoft.com/kb/300956
3. Manual agent install.

Error: The MOM Server could not execute WMI Query "Select * from Win32_OperatingSystem" on computer "servername.domain.com". Operation: Agent Install. Install account: DOMAIN\account. Error Code: 800706BA. Error Description: The RPC server is unavailable.
Error Code(s): 8004100A, 800706BA
Remediation Steps:
1. Ensure agent push account has local admin rights.
2. Firewall is blocking NetBIOS access.
3. Inspect WMI health and rebuild repository if necessary.
4. Firewall is blocking ICMP (Live OneCare).
5. DNS incorrect.

Error: The MOM Server failed to open service control manager on computer "servername.domain.com". Access is Denied. Operation: Agent Install. Install account: DomainName\User Account. Error Code: 80070005. Error Description: Access is denied.
Error Code(s): 80070005, 80041002
Remediation Steps:
1. Verify SCOM agent push account is in Local Administrators group on target computer.
2. On Domain Controllers you will have to work with the AD team to install the agent manually if the agent push account is not a domain admin.
3. Disable McAfee antivirus during push.

Error: The MOM Server failed to open service control manager on computer "servername.domain.com". Therefore, the MOM Server cannot complete configuration of agent on the computer. Operation: Agent Install. Install account: DOMAIN\account. Error Code: 800706BA. Error Description: The RPC server is unavailable.
Error Code(s): 800706BA
Remediation Steps:
1. Firewall blocking NetBIOS ports.
2. DNS resolution issue. Make sure the agent can ping the MS by NetBIOS and FQDN. Make sure the MS can ping the agent by NetBIOS and FQDN.
3. Firewall blocking ICMP.
4. RPC services stopped.

Error: The MOM Server failed to acquire lock to remote computer servername.domain.com. This means there is already an agent management operation proceeding on this computer, please retry the Push Agent operation after some time. Operation: Agent Install. Install account: DOMAIN\account. Error Code: 80072971. Error description: Unknown error 0x80072971.
Error Code(s): 80072971
Remediation Steps:
This problem occurs if the LockFileTime.txt file is located in the following folder on the remote computer: %windir%\422C3AB1-32E0-4411-BF66-A84FEEFCC8E2. When you install or remove a management agent, the Operations Manager 2007 management server copies temporary files to the remote computer. One of these files is named LockFileTime.txt. This lock file is intended to prevent another management server from performing a management agent installation at the same time as the current installation. If the management agent installation is unsuccessful and if the management server loses connectivity with the remote computer, the temporary files may not be removed. Therefore, the LockFileTime.txt may remain in the folder on the remote computer. When the management server next tries to perform an agent installation, the management server detects the lock file. Therefore, the management agent installation is unsuccessful. http://support.microsoft.com/kb/934760/en-us

Error: The MOM Server detected that the following services on computer "(null);NetLogon" are not running. These services are required for push agent installation. To complete this operation, either start the required services on the computer or install the MOM agent manually by using MOMAgent.msi located on the product CD. Operation: Agent Install. Remote Computer Name: servername.domain.com. Install account: DOMAIN\account. Error Code: C000296E. Error Description: Unknown error 0xC000296E.
Error Code(s): C000296E
Remediation Steps:
1. Netlogon service is not running. It must be set to auto/started.

Error: The MOM Server detected that the following services on computer "winmgmt;(null)" are not running.
Error Code(s): C000296E
Remediation Steps:
1. WMI services not running or WMI corrupt.

Error: The MOM Server detected that the Windows Installer service (MSIServer) is disabled on computer "servername.domain.com". This service is required for push agent installation. To complete this operation on the computer, either set the MSIServer startup type to "Manual" or "Automatic", or install the MOM agent manually by using MOMAgent.msi located on the product CD. Operation: Agent Install. Install account: DOMAIN\account. Error Code: C0002976. Error Description: Unknown error 0xC0002976.
Error Code(s): C0002976
Remediation Steps:
1. Windows Installer service is not running or set to disabled. Set this to manual or auto and start it.

Error: The Agent Management Operation Agent Install failed for remote computer servername.domain.com. Install account: DOMAIN\account. Error Code: 80070643. Error Description: Fatal error during installation. Microsoft Installer Error Description: For more information, see Windows Installer log file "C:\Program Files\System Center Operations Manager 2007\AgentManagement\AgentLogs\servernameAgentInstall.LOG C:\Program Files\System Center Operations Manager 2007\AgentManagement\AgentLogs\servernameMOMAgentMgmt.log" on the Management Server.
Error Code(s): 80070643
Remediation Steps:
1. Enable the Automatic Updates service. Install the agent, then disable the Automatic Updates service if desired.

Error: Call was canceled by the message filter.
Error Code(s): 80010002
Remediation Steps:
Install latest SP and retry. One server that failed did not have a Service Pack installed.

Error: The MOM Server could not find directory \\I.P.\C$\WINDOWS\. Agent will not be installed on computer "name". Please verify the required share exists.
Error Code(s): 80070006
Remediation Steps:
1. Manual agent install. Possible locking on registry? http://www.sysadmintales.com/category/operations-manager/ Try manual install.

Error: Verified share does not exist. The network path was not found.
Error Code(s): 80070035
Remediation Steps:
1. Manual agent install.

Error: The Agent Management Operation Agent Install failed for remote computer "name". There is not enough space on the disk.
Error Code(s): 80070070
Remediation Steps:
1. Free space on install disk.

Error: The MOM Server failed to perform specified operation on computer "name". The semaphore timeout period has expired.
Error Code(s): 80070079
Remediation Steps:
NSlookup failed on server. Possible DNS resolution issue. Try adding the DNS name to the DNS suffix search list.

Error: The MOM Server could not start the MOMAgentInstaller service on computer "name" in the time.
Error Code(s): 8007041D, 80070102
Remediation Steps:
NSlookup failed on server. Possible DNS resolution issue. Verify domain is in suffix search list on management servers.

Error: The Agent Management Operation Agent Install failed for remote computer "name".
Error Code(s): 80070643
Remediation Steps:
1. Ensure Automatic Updates service is started.
2. Rebuild WMI repository.
3. DNS resolution issue.

Error: The Agent Management Operation Agent Install failed for remote computer "name". Another installation is already in progress.
Error Code(s): 80070652
Remediation Steps:
Verify not in pending management. If yes, remove and then attempt installation again.

Error: The MOM Server detected that computer "name" has an unsupported operating system or service pack version.
Error Code(s): 80072977
Remediation Steps:
Install latest SP and verify you are installing to a Windows system.

Error: Not discovered.
Remediation Steps:
Agent machine is not a member of domain.

Error: Ping fails.
Remediation Steps:
1. Server is down.
2. Server is blocked by firewall.
3. DNS resolving to wrong IP.

Error: Fail to resolve machine.
Remediation Steps:
1. DNS issue.

Error: The MOM Server failed to perform specified operation on computer "name". Not enough server storage...
Error Code(s): 8007046A
Remediation Steps:
1. This is typically a memory error caused by the remote OS that the agent is being installed on.

Error: There are currently no logon servers available to service the logon request.
Error Code(s): 8007051F
Remediation Steps:
1. Possible DNS issue.

Error: This installation package cannot be installed by the Windows Installer service. You must install a Windows service pack that contains a newer version of the Windows Installer service.
Error Code(s): 8007064D
Remediation Steps:
1. Install Windows Installer 3.1.

Error: The network address is invalid.
Error Code(s): 800706AB
Remediation Steps:
Possible DNS name resolution issue. Tried nslookup on server name and did not get a response. Verify domain is in suffix search list on management servers.

Error: The MOM Server failed to perform specified operation on computer servername.domain.com.
Error Code(s): 80070040
Remediation Steps:
1. Ensure agent push account has local admin rights.

Error: The MOM Server detected that the actual NetBIOS name SERVERNAME is not same as the given NetBIOS name provide for remote computer SERVERNAME.domain.com.
Error Code(s): 80072979
Remediation Steps:
1. Correct DNS/WINS issue.
2. Try pushing to NetBIOS name.

Paul Keely
February 13th, 2010 12:40pm
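Most rows in the table above come down to a handful of conditions the management server tests before it ever copies MOMAgent.msi: name resolution, ICMP, the two WMI queries, the admin share, a leftover lock file, three services and free disk space. The script below is an added example, not Paul's code and not anything shipped with Operations Manager, that runs those checks from the management server with the push account so the failing condition is known before the console reports an error code. It is Windows PowerShell (Get-WmiObject); the target name is a placeholder and the 500 MB free-space threshold is an assumption of this example, not a documented requirement.

```powershell
# Added example (not code from the thread or from Microsoft): pre-flight checks
# to run on a SCOM 2007 management server, as the agent push account, before
# pushing to a remote computer. Each check names the error code from the
# troubleshooting table that it corresponds to. Windows PowerShell only.
param(
    [Parameter(Mandatory = $true)]
    [string]$Target                 # placeholder: FQDN of the computer to push to
)

$results = @()
function Add-Result([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:results += New-Object PSObject -Property @{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# DNS forward lookup (80070079, 800706AB, 8007041D all point at name resolution)
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($Target) | ForEach-Object { $_.IPAddressToString }
    Add-Result 'DNS forward lookup' $true ($addrs -join ', ')
} catch { Add-Result 'DNS forward lookup' $false $_.Exception.Message }

# ICMP reachability ("Ping fails", firewall blocking ICMP)
try {
    $reply = (New-Object System.Net.NetworkInformation.Ping).Send($Target, 2000)
    Add-Result 'ICMP ping' ($reply.Status -eq 'Success') ([string]$reply.Status)
} catch { Add-Result 'ICMP ping' $false $_.Exception.Message }

# The two WMI queries the push runs first; an RPC failure here is 800706BA / 8004100A
$winDir = 'C:\WINDOWS'   # fallback when WMI is unreachable
try {
    $os = Get-WmiObject -ComputerName $Target -Class Win32_OperatingSystem -ErrorAction Stop
    if ($os.WindowsDirectory) { $winDir = $os.WindowsDirectory }
    Add-Result 'WMI Win32_OperatingSystem' $true $os.Caption
    $arch = Get-WmiObject -ComputerName $Target -Class Win32_Environment `
                -Filter "Name='PROCESSOR_ARCHITECTURE'" -ErrorAction Stop | Select-Object -First 1
    Add-Result 'WMI PROCESSOR_ARCHITECTURE' ($arch -ne $null) ([string]$arch.VariableValue)
} catch { Add-Result 'WMI query' $false $_.Exception.Message }

# Admin share the installer is copied through (80070006, 80070035), e.g. \\target\C$\WINDOWS
$adminPath = '\\{0}\{1}${2}' -f $Target, $winDir.Substring(0, 1), $winDir.Substring(2)
Add-Result 'Windows admin share' (Test-Path $adminPath) $adminPath

# Stale lock file left behind by an aborted earlier push (80072971)
$lock = Join-Path $adminPath '422C3AB1-32E0-4411-BF66-A84FEEFCC8E2\LockFileTime.txt'
Add-Result 'No stale LockFileTime.txt' (-not (Test-Path $lock)) $lock

# Services the push requires: Netlogon and winmgmt running (C000296E), MSIServer not disabled (C0002976)
foreach ($svc in 'Netlogon', 'winmgmt', 'MSIServer') {
    try {
        $s = Get-WmiObject -ComputerName $Target -Class Win32_Service -Filter "Name='$svc'" -ErrorAction Stop
        if ($s) {
            $ok = if ($svc -eq 'MSIServer') { $s.StartMode -ne 'Disabled' } else { $s.State -eq 'Running' }
            Add-Result "Service $svc" $ok ("State={0} StartMode={1}" -f $s.State, $s.StartMode)
        } else { Add-Result "Service $svc" $false 'service not found' }
    } catch { Add-Result "Service $svc" $false $_.Exception.Message }
}

# Free space on the system drive (80070070); 500 MB is an assumed threshold for this example
try {
    $disk = Get-WmiObject -ComputerName $Target -Class Win32_LogicalDisk `
                -Filter ("DeviceID='{0}'" -f $winDir.Substring(0, 2)) -ErrorAction Stop
    $freeMB = [math]::Round($disk.FreeSpace / 1MB)
    Add-Result 'Free space on system drive' ($freeMB -gt 500) "$freeMB MB free"
} catch { Add-Result 'Free space on system drive' $false $_.Exception.Message }

$results | Format-Table Check, Ok, Detail -AutoSize
```

Run it as the push account (`.\Test-AgentPush.ps1 -Target server.domainb.example`, both names being placeholders): a failed WMI row with "RPC server is unavailable" in Detail is the same 800706BA the console would show, but here it arrives before the push and next to the DNS, ping and share rows that narrow it down.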

>Dom AFAIK, if you go to a folder on your RMS and go to Properties - Security - Edit, and you can browse the other domain and add a user from that domain, then I believe you have a two-way trust in place. To start things off, Dom, why not try and just do a manual install on that server? If it works and communicates, then you have no issues with ports/firewalls, trusts etc. You could also try and telnet your client on the SCCM client install port. Paul
>Paul Keely

Hi Paul,

Yes, I am able to add a User Account from the other domain.

I have done a manual "test" install; the agent got installed but did not report to the server (I might not have waited enough!!! I will try again, but how long should I wait...). But I don't like the manual install, as I saw all the extra tasks to be done: the computer is set "Remotely Manageable = No", during upgrade all machines have to be redone one by one with local access (not from the console, if I am right), and I don't have the "Change Primary Management Server" available (it is grayed out); as we have a lot of machines moving, especially for Desktop, it is a wall for me so far...

I tried TELNET on port 5723; it does not work, but I have the same result on an agent already installed... Strange...

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 13th, 2010 9:36pm

Hi Paul,

Where should I look for these errors? So far the discovery is not complete, so I have nothing on the local machine itself. Any log on the server?

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 13th, 2010 9:38pm

>Hi Dom,
>>two-way bidirectional trust relationship = yes
>This must be a forest trust (to support Kerberos). Or you need a certificate. Is this a forest trust?
>http://OpsMgr.ru/

Hi Alexey,

I have:

Domains trusted by this domain (outgoing trusts):
Domain A trusted by Domain B - trust type = External

and Domains that trust this domain (incoming trusts):
Domain B trusted by Domain A - trust type = External

Two-way: Users in the local domain can authenticate in the specified domain and users in the specified domain can authenticate in the local domain. This trust is not transitive. Only users from the directly trusted domain may authenticate in the trusting domain.

Where should I check for the forest trust, and the SCOM documentation for the certificate?
Why should I use a certificate, as the Microsoft documentation states it is for untrusted domains ONLY?
http://technet.microsoft.com/en-us/library/bb735408.aspx
Where is the error mentioning it is a certificate issue? Which log file is showing this error?

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 13th, 2010 9:44pm

>Why should I use a certificate, as the Microsoft documentation states it is for untrusted domains ONLY?

"An agent and the management server use Windows authentication to mutually authenticate with each other before the management server accepts data from the agent. The Kerberos version 5 protocol is the default method for providing authentication." (http://technet.microsoft.com/en-us/library/bb735408.aspx)

Only a forest trust supports Kerberos. Even if you are able to install (push) the agent, it will not work over external trusts.

If your agent and server are in different AD forests then you have only two options to get it working:
- Forest trust
- Certificate trust (certificate authentication)

http://OpsMgr.ru/
February 14th, 2010 9:16am

Hi Alexey,

What do you call forest trust?

I have the two domains already set with the forest trust as stated in the articles:
http://technet.microsoft.com/en-us/library/cc755700(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc780479(WS.10).aspx

To create a forest trust
1. Open Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.
3. On the Trust tab, click New Trust, and then click Next.
4. On the Trust Name page, type the DNS name (or NetBIOS name) of another forest, and then click Next.
5. On the Trust Type page, click Forest trust, and then click Next.
6. On the Direction of Trust page, do one of the following: To create a two-way forest trust, click Two-way. Users in this forest and users in the specified forest can access resources in either forest.

- Following these steps, all is in place already:

Two-way: Users in the local domain can authenticate in the specified domain and users in the specified domain can authenticate in the local domain.
This trust is not transitive. Only users from the directly trusted domain may authenticate in the trusting domain.

Two-way: Users in the local domain can authenticate in the specified domain and users in the specified domain can authenticate in the local domain.
This trust is not transitive. Only users from the directly trusted domain may authenticate in the trusting domain.

Domain Wide Authentication

What do I miss?

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 15th, 2010 8:00am

Hi Dom,

>What do you call forest trust?

I call 'forest trust' the trust relationships you mentioned above (http://technet.microsoft.com/en-us/library/cc755700(WS.10).aspx). In earlier posts you said that you have 'External' trusts. An External trust is an NT4-style trust which does not support Kerberos. And I drew your attention to the fact that you must have a Kerberos-enabled type of trust to get the agent working without certificates. Can you check this on the agent machine?

netdom trust /d:DomainA /verify /KERBEROS

>My account from DomainA is Local Administrator on the server in DomainB

Did you add your account directly to the local admin group, or did you add your account to some group from DomainB and then add this group to local admins? If you're added to a group from DomainB first, it may be a SID Filtering issue.

To ensure you have access to the remote server, can you run this script on the RMS (with the account you use to push the agent)?

' Queries Win32_OperatingSystem on the remote computer over WMI (DCOM),
' authenticating as the account that runs the script
strComputer = "Paste_Remote_Computer_FQDN_Here"
Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2")
Set colItems = objWMIService.ExecQuery( _
    "SELECT * FROM Win32_OperatingSystem",,48)
For Each objItem in colItems
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Win32_OperatingSystem instance"
    Wscript.Echo "-----------------------------------"
    Wscript.Echo "Caption: " & objItem.Caption
    Wscript.Echo "CSName: " & objItem.CSName
    Wscript.Echo "Locale: " & objItem.Locale
Next

http://OpsMgr.ru/
February 15th, 2010 8:46am
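Alexey's post names two conditions on the agent side, a Kerberos-capable (forest) trust rather than an NT4-style external one, and a push account that reaches the local Administrators group directly rather than through a SID-filtered foreign group, and Dom's earlier telnet test adds a third: TCP 5723 to the management server. The script below is an added example, not code from the thread or from OpsMgr.ru, that reports all three from the agent computer in DomainB. The trust types and SID-filtering status come from the .NET System.DirectoryServices.ActiveDirectory classes (reading the SID-filtering flag may need domain privileges, so that column can read "unknown"); the management server name is a placeholder.

```powershell
# Added example (not code from the thread): run on the agent computer to list
# the trusts its domain and forest hold, flag Forest trusts (Kerberos-capable
# across forests) versus External (NT4-style) trusts, show whether SID
# filtering is on, and test TCP 5723 to the management server.
# Windows PowerShell; $ManagementServer is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$ManagementServer,      # placeholder: FQDN of the SCOM management server
    [int]$AgentPort = 5723          # port the agent connects to on the management server
)

Add-Type -AssemblyName System.DirectoryServices

function Get-TrustSummary {
    # One object per trust known to this computer's domain, plus the forest's own trusts
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain()
    $forest = $domain.Forest
    $trusts = @($domain.GetAllTrustRelationships()) + @($forest.GetAllTrustRelationships())
    $seen = @{}   # a forest trust shows up on both lists; report it once
    foreach ($t in $trusts) {
        $key = "$($t.TargetName)|$($t.TrustType)"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # SID filtering (quarantine) drops SIDs from the other side, which is why membership
        # through a DomainB group may not reach the remote local Administrators group
        $sidFiltering = 'unknown'
        try {
            $owner = if ($t.TrustType -eq 'Forest') { $forest } else { $domain }
            $sidFiltering = [string]$owner.GetSidFilteringStatus($t.TargetName)
        } catch { $sidFiltering = "unknown: $($_.Exception.Message)" }

        New-Object PSObject -Property @{
            Source              = $t.SourceName
            Target              = $t.TargetName
            Type                = [string]$t.TrustType       # Forest, External, ParentChild, TreeRoot, CrossLink, Kerberos, Unknown
            Direction           = [string]$t.TrustDirection  # Inbound, Outbound, Bidirectional
            CrossForestKerberos = ($t.TrustType -eq 'Forest')
            SidFiltering        = $sidFiltering
        }
    }
}

function Test-TcpPort([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000) {
    # Plain TCP connect with a timeout; a closed port or a firewall drop gives $false instead of a hang
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) {
            $client.EndConnect($async)
            return $true
        }
        return $false
    } catch { return $false } finally { $client.Close() }
}

Write-Host "Trusts seen from ${env:COMPUTERNAME}:"
Get-TrustSummary | Format-Table Source, Target, Type, Direction, CrossForestKerberos, SidFiltering -AutoSize

if (Test-TcpPort $ManagementServer $AgentPort) {
    Write-Host "TCP $AgentPort to $ManagementServer is open; the agent can reach the management server channel."
} else {
    Write-Host "TCP $AgentPort to $ManagementServer is NOT reachable; check firewall and DNS before looking at authentication."
}
```

A row whose Type is External with CrossForestKerberos False is the situation Alexey describes: the push may succeed, but the agent's Kerberos mutual authentication to the management server will not, and the remaining options are a forest trust or certificate authentication. A closed 5723 is a separate, earlier problem and explains an agent that installs but never reports.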

Hello Alexey,

1. netdom trust /d:DomainA /verify /KERBEROS (I tried netdom trust DomainB /d:DomainA /verify /KERBEROS, as netdom trust /d:DomainA /verify /KERBEROS sends me to the NETDOM HELP: the parameter /d was unexpected...)
The command failed to complete successfully.
I tried also from the RMS to the client; I have the same failure... I tried even
netdom trust DomainA /d:DomainB /verify /KERBEROS
or
netdom trust DomainB /d:DomainA /verify /KERBEROS
or
netdom trust DomainA /d:DomainA /verify /KERBEROS
I tried also with /domain but the command still fails... This seems to be due to the account used to pass the command... it was not a Domain Admin.

2. My account is added individually, not through a group.

3. Running the script (wscript Remote_access.vbs) I get
Caption: Microsoft(R) Windows(R) Server 2003 Enterprise Edition x64 Edition
CSName: VME2K7MB1
Locale: 0409
The script has been run with a Domain Administrator account on both domains and the same code for Locale 0409 is displayed.

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
February 16th, 2010 11:45pm

I need to review this again...

Thanks,
Dom

System Center Operations Manager 2007 / System Center Configuration Manager 2007 R2 Support
March 30th, 2010 9:13pm

I think what you need is a SCOM Gateway Server, and to deploy the agents with certificates. Take a look at the how-to:

Agents that lie outside the trust boundary of management servers
http://technet.microsoft.com/en-us/library/bb432149.aspx

Thanks,
Gustavo Faleiro Bastos
___________________________________________________
Gfal Tecnologia at www.gfal.com.br
February 20th, 2011 9:47pm
